About this Guide 


Welcome to Qualys Container Security! We'll help you get acquainted with the Qualys 
solutions for securing your Container environments like Images, Containers and Docker 
Hosts using the Qualys Cloud Security Platform. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a 
founding member of the Cloud Security Alliance (CSA). For more information, please visit 
www.qualys.com. 


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access online support information at www.qualys.com/support/. 


About Container Security Documentation 


This document provides information about using the Qualys Container Scanning 
Connector for Azure DevOps. 


For information on using the Container Security UI to monitor vulnerabilities in Images, 
Containers, and Registries, refer to the Qualys Container Security User Guide. 


For information on deploying the sensor on MAC, CoreOS, and various orchestrators and 
cloud environments, refer to the Qualys Container Sensor Deployment Guide. 


For information on using the Container Security API, refer to the Qualys Container 
Security API Guide. 


Container Security Overview 


Qualys Container Security provides discovery, tracking, and continuous protection of 
container environments. This addresses vulnerability management for images and 
containers in the DevOps pipeline and in deployments across cloud and on-premise 
environments. 

With this version, Qualys Container Security supports 

- Discovery, inventory, and near-real time tracking of container environments 
- Vulnerability analysis for images and containers 
- Vulnerability analysis for registries 
- Integration with CI/CD pipeline using APIs (DevOps flow) 
- A new 'Container Sensor' providing native container support, distributed as a 
container image 


Upon installation, the sensor automatically discovers Images and Containers on the 
deployed host, provides a vulnerability analysis of them, and additionally monitors and 
reports on the docker related events on the host. The sensor lists and scans registries for 
vulnerable images. The sensor container runs in non-privileged mode. It requires 
persistent storage for storing and caching files. 


Currently, the sensor only scans Images and Containers. To get a vulnerability 
posture on the Host, you need Qualys Cloud Agents or a scan through the Qualys 
Virtual Scanner Appliance. 


What data does Container Security collect? 


The Qualys Container Security sensor fetches the following information about Images and 
Containers in your environment: 


- Inventory of Images and Containers in your environment from commands such as 
docker ps that lists all containers. 


- Metadata information about Images and Containers from commands such as docker 
inspect and docker info that fetch low-level information on docker objects. 


- Event information about Images and Containers from the docker host for docker events 
like created, started, killed, push, pull, etc. 


- Vulnerabilities found on Images and Containers. This is the output of the vulnerability 
management manifests run for identifying vulnerability information in Images and 
Containers. This is primarily software package listing, services running, ports, etc. 


For example, package manager outputs like rpm -qa, npm. This is supported across 
various Linux distributions (CentOS, Ubuntu, CoreOS, etc) and across images like Python, 
NodeJS, Ruby, and so on. 


Qualys Container Scanning Connector for Azure DevOps 


Qualys Container Security provides a plugin for Azure DevOps to get the security posture 
for the container images built via the tool. The plugin can be configured to fail or pass the 
container image builds based on the vulnerabilities detected. 


Get Started 


Follow the steps to get started with Qualys Container Scanning Connector for Azure 
DevOps. 


What you'll need 
- A valid Qualys subscription with the Container Security application activated. 
- Access to the Qualys Container Security application API endpoint from your build host. 


- The container sensor for CI/CD environments must be installed on the Azure 
DevOps build host. Refer to the Qualys Container Sensor Deployment Guide for 
instructions on installing the CI/CD sensor. You must pass the 
--cicd-deployed-sensor (or -c) parameter while deploying the sensor for a CI/CD 
environment. 


- Azure DevOps CICD tool version 1.0 or later. 


- Internet connection for the agent to be able to connect to the Qualys Cloud Platform. 
Install the sensor with the proxy option if the agent is running behind a proxy. 


- The Azure DevOps services and agents should have an open connection to the Qualys 
Cloud Platform in order to get data from the Qualys Cloud Platform for vulnerability 
reporting. 


Qualys Container Scanning Connector automatically tags images built out of the CI/CD 
pipeline with the tag qualys_scan_target:<image-sha> to mark them for scanning, and only 
those images are scanned for vulnerabilities. Once the scanning is over, the Qualys Container 
Sensor will remove the tag. However, if an image has no tag applied to it other than 
qualys_scan_target:<image-sha>, the sensor will retain the tag to avoid removal of the 
image from the host. 


Recommended setup for server-agent deployment 


Qualys Container Scanning Connector for Azure DevOps should be deployed on Azure 
DevOps services. The Qualys Container Security Sensor should be installed where the docker 
daemon is running. If the docker daemon is running on the Azure DevOps agent, install the 
Sensor on the Azure DevOps agent. If the docker daemon is running on a remote host, install 
the sensor on that host. Please refer to the Qualys Container Sensor Deployment Guide for 
deployment instructions. 


The following figure shows the docker daemon running on the Azure DevOps agent. 

The following figure shows the docker daemon running on a remote host. 

Note that the plugin will make a call to check if the sensor container is running on the 
host and if it is installed in the CI/CD mode. 


Install the Plugin 


You can install the Qualys Container Scanning Connector for Azure DevOps from Azure 
DevOps marketplace. 


Installing the plugin from Azure DevOps marketplace 
1) To install the plugin from the Azure DevOps marketplace, log in to your Azure DevOps 
instance. 

2) Click the marketplace icon on the top pane at the right side of the page and choose Browse 
marketplace. Alternatively, click Extensions on the left pane and click Browse 
marketplace located at the top right side of the right pane. The browser opens the Azure 
DevOps marketplace page that displays plugins/extensions for Azure DevOps. 


3) In the search bar, enter Qualys to search for all the Qualys plugins. 
4) Click the Qualys Container Scanning Connector plugin in the plugin list. 
5) Click Get it free. You will be navigated to the Visual Studio Marketplace screen. 

6) Select the organization from the drop-down and click Install to install the plugin in your 
Azure DevOps instance. You can see the installed plugin in the Installed tab when you 
navigate to Organization Settings > Extensions. 


The Qualys Container Scanning Connector gets installed/updated in your Azure DevOps 
instance. In case of update, your existing configuration will continue to work. In case of 
fresh install, perform the configuration steps provided further in this document. 


Scanning CI/CD images 


Configure the Qualys Container Scanning Connector to automatically tag CI/CD images 
with qualys_scan_target:<image-id>. 


Docker URL: Docker REST API URL / Docker socket path. Only unix:/// and tcp:// protocols 
allowed. 


Cert File Path: If the remote Docker server has HTTPS enabled, you can provide the 
folder location that contains the files ca.pem, cert.pem and key.pem. For example, 
/var/home/certs. 


Docker URL: unix:///var/run/docker.sock 
(Docker daemon URL, e.g. unix:///[docker socket path] or tcp://[host]:[port]) 

Docker Cert file path: (optional) 


Docker URLs (unix socket or TCP) to be used in various docker deployment scenarios: 

Deployment scenario | Sensor location | Docker URL to be used 
Job executed by Azure DevOps agent AND Docker host == Azure DevOps agent | Azure DevOps agent | UNIX socket: unix:///var/run/docker.sock 
Job executed by Azure DevOps agent AND Docker host == Remote docker host (any machine other than the Azure DevOps agent) | Remote docker host | TCP path of the Remote Docker host: tcp://<ip_of_RDH>:<port>, for example tcp://10.115.67.61:2375 
Start Using the Plugin 


Qualys recommends setting up the Qualys Container Scanning Connector after the 
container image is built and before the image is pushed to the registry. Ensure that you do 
not delete the image before the plugin setup is complete. 


You can use this plugin as a task in your Azure DevOps pipeline. After installing the 
Qualys Container Scanning Connector, you see this plugin as a task in your pipeline. In the 
Tasks tab, click Add Task under your agent job, and simply search for “Qualys” to get the 
“Scan container images with Qualys CS Plugin” task. Select the task and click Add to add it 
as a task. You will see the task under the agent. 


Screenshot: the Tasks tab of the pipeline, with the Scan container images with Qualys CS 
task listed under Agent job 1. 


Click the “Scan container images with Qualys CS Plugin” task. Now configure the plugin. 


Screenshot: the task configuration form. Under Qualys Configuration it shows the Qualys 
API Server, Qualys Username, Qualys Password and Use Proxy fields, followed by Image 
ID/Image Name (sample value java:latest) and, under Data Collection, how frequently to 
check for data in seconds (30) and how long to wait for fetching vulnerability data in 
seconds (600). 


See Configuration Details 
Define container image Ids 


In the plugin configuration there is a field called image ID/Image Name. Set this to a single 
container image Id or name you want to report on. The plugin will only pull a report for 
the image Id/name you specify. 


Enter a single string value like imageId: 'a1b2c3d4e5f6'. We also support the SHA value of the 
image as the input to image ID. Specify an image name in the format repo:tag. 


If you provide an image name, the plugin fetches the corresponding SHA-256. The plugin 
tries to fetch the image SHA using the docker socket path set in the configuration. If 
your docker host is running locally on the build tool/agent, the docker socket path is 
unix:///var/run/docker.sock; whereas if your docker host is running remotely, the docker 
socket path is the TCP URL to the remote docker host. See Scanning CI/CD images. 


Alternatively, you can also provide the image ID through an environment variable. Get the 
image ID of the container image using the program created in earlier stages of the build 
and provide that ID in the 'imageId' argument. For example, in the pipeline script, you can 
get the image ID by executing a shell script, store it in an environment variable, and then 
use the same environment variable in the 'imageId' argument to provide the image ID. 
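As an added example (not the connector's own code), the following Python validates the three accepted forms of the Image ID/Image Name field and the two Docker URL schemes from the Scanning CI/CD images section before a pipeline step hands them to the task; the regular expressions and the QUALYS_IMAGE_ID variable name are assumptions.

```python
"""Validators for the two free-text inputs this guide describes: the
'Image ID/Image Name' field and the Advanced Settings 'Docker URL'.
Added example, not the connector's code; accepted shapes follow the guide
(12-hex image ID, SHA-256 digest, repo:tag, unix:/// or tcp://host:port)."""
import re
from urllib.parse import urlsplit

IMAGE_ID_RE = re.compile(r"^[0-9a-f]{12}$")                 # e.g. a1b2c3d4e5f6
SHA256_RE = re.compile(r"^(?:sha256:)?([0-9a-f]{64})$")     # with or without prefix
# repo:tag; the repository part may include a registry host and path components.
REPO_TAG_RE = re.compile(r"^([a-z0-9][a-z0-9._/-]*):([A-Za-z0-9_][A-Za-z0-9_.-]{0,127})$")


def parse_image_ref(value):
    """Return (kind, normalized) where kind is 'id', 'sha' or 'name'.

    Raises ValueError for anything else, so a typo in a pipeline variable
    stops the job before the plugin tries to tag an image that does not exist.
    """
    v = value.strip()
    if IMAGE_ID_RE.match(v):
        return "id", v
    m = SHA256_RE.match(v)
    if m:
        return "sha", m.group(1)      # the plugin calls the CS API by SHA anyway
    if REPO_TAG_RE.match(v):
        return "name", v              # plugin resolves repo:tag to its SHA via docker
    raise ValueError(f"not an image ID, SHA-256 or repo:tag reference: {value!r}")


def parse_docker_url(url):
    """Accept only the two schemes the guide allows; return (scheme, target)."""
    if url.startswith("unix://"):
        path = url[len("unix://"):]
        if not path.startswith("/"):
            raise ValueError("unix socket path must be absolute, e.g. unix:///var/run/docker.sock")
        return "unix", path
    parts = urlsplit(url)
    if parts.scheme == "tcp" and parts.hostname and parts.port:
        return "tcp", f"{parts.hostname}:{parts.port}"
    raise ValueError(f"only unix:/// and tcp://host:port are allowed: {url!r}")


def set_variable_command(name, value):
    """Azure DevOps logging command that stores a value in a pipeline variable
    for a later task: the environment-variable handoff described above."""
    return f"##vso[task.setvariable variable={name}]{value}"


if __name__ == "__main__":
    # Constructed sample: a short image ID as 'docker build' reports it.
    kind, ref = parse_image_ref("e0111ddfea06")
    print(kind, ref)
    print(set_variable_command("QUALYS_IMAGE_ID", ref))
    print(parse_docker_url("tcp://10.115.67.61:2375"))
```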
Configuration Details 


Provide the following configuration details: 

1) API login information (select Use Proxy to provide proxy information). 

Note: Due to Azure DevOps limitations, the password string is visible on the UI. To avoid 
disclosing the password, use a pipeline variable. 

2) The container image ID / image name that you want to scan. Internally, the image 
ID/image name is replaced with the SHA value of the image. 

3) Data collection frequency. 

4) Build failure conditions. 

5) The docker daemon URL in the Advanced Settings section, so that the plugin can connect 
to the docker daemon and tag the images specified in the input. 

6) The variable in the Output Variables section. The output variable will contain the 
evaluation result of the image vulnerabilities data against the build failure conditions. 
This is an optional setting, and the CS extension does not control the formatting of the 
JSON file. To get output in proper JSON format, use a JSON-specific utility. For example, 
with the NodeJS script runner, add the line 
console.log(JSON.stringify($(qcs.imageScanSummary))) 
to your code, with the Output Variable from the Qualys task as input, to print the file in 
proper JSON format. ('qcs.imageScanSummary' is the output variable created by the Qualys 
task, with 'qcs' provided as the reference name by the user.) 

When you're ready, click Save Configuration. 


Task configuration fields (as shown in the task form): 

Task version: 1.* 
Display name: Scan container images with Qualys CS 

Qualys Configuration 
- Qualys API Server (required): the API URL of your Qualys platform (see Qualys API Server URL) 
- Qualys Username (required) 
- Qualys Password (required) 
- Use Proxy (checkbox) 
- Image ID/Image Name (required), e.g. java:latest 

Data Collection 
- How frequently to check for data in seconds: 30 
- How long to wait for fetching vulnerability data in seconds: 600 

Build Failure Conditions 
- Fail if severe vulnerabilities found 
- Fail when any vulnerability found with this severity or above 
- Fail when any of these QIDs found 
- Fail when any of these CVEs found 
- Fail when any of these Software found 
- Fail build if CVSS score (more than configured) found 
- Apply above fail conditions to Potential vulnerabilities as well 

Exclude Conditions 
- Exclude Conditions: None 

Advanced Settings 
- Docker URL (required): unix:///var/run/docker.sock 
- Docker Cert file path 

Control Options 

Output Variables 
- Reference name: qcs 
- Variables list: qcs.imageScanSummary 




Qualys API Server URL 


The Qualys API URL you should use for API requests depends on the Qualys platform 
where your account is located. 


Click here to identify your Qualys platform and get the API URL 
View Your Qualys Report 


The plugin will generate a report for the container image in the build. In a build, click the 
job which includes the Qualys plugin and navigate to 'Qualys Image Scan Result' to see 
vulnerability details for the container image. 


The report shows vulnerability data in multiple tabs: 
1) The Build Summary shows the criteria against which vulnerabilities are evaluated. These 
criteria are the configured failure conditions. A criterion is violated when vulnerabilities 
found in the scan match one or more values set in the failure conditions for that criterion. 
2) The Image Statistics tab provides a dashboard view of your security posture. 
3) Go to Vulnerabilities for a list of detected QIDs. 
4) Installed Software shows the software detected on the container image. 
5) Layers shows the list of layers the image is made of. 


Sample Build Summary view 

Screenshot: Build Report for image d23bdf5b1b1b. The Build Summary tab shows Image 
Scan Status: Failed, the Image ID, Tags and Size (613 MB), a Scan Report link to view the 
Image Summary on the Qualys Portal (note: valid credentials for the Qualys UI are required 
to view the report), an Image Scan Summary with counts for QIDs, CVEs, CVSS, Software 
and Severity 5 through Severity 1, the list of excluded CVEs, and whether the fail 
conditions were applied to potential vulnerabilities as well. 


Sample Image Statistics view 

Screenshot: the Image Statistics tab with a Vulnerabilities Trend chart, Confirmed 
Vulnerabilities (164) broken down by severity (Sev 5 to Sev 1), Potential Vulnerabilities 
(0), and Patchability (Yes: 163, No: 1). 
Debugging and Troubleshooting 

HTTP codes in API response 


All API calls and their responses are logged by the plugin and are visible in the Console 
Output. Here are the HTTP response codes you may see during plugin execution. 


Code | Error | Description 
204 | No content | Qualys sensor is processing data. You'll see 200 OK when complete. 
200 | OK | You would see this code in two situations: 1) You might have received partial data from Qualys where image details are available but vulnerability data is not available. 2) Vulnerability data is also available. This is usually the last call, after which the thread for that image Id stops. 
500 | Internal server error | Qualys service is down or there was an issue processing data. 
400 | Bad request | Qualys API server is unable to understand the request. 
401 | Unauthorized | The credentials used for Qualys API server are incorrect or the user does not have access to the APIs. 


If you don't see any API calls being made... 


Make sure you're correctly passing image Ids to the plugin. When the plugin starts the 
execution, it will print the image Ids provided and you can see this in the Console Output. 
Check that the container image Ids you provided are printed. 


Plugin times out, no report seen 


The plugin is designed to keep polling the Qualys API until the configured timeout period 
is reached. If it does not get vulnerability data from Qualys within this period, it stops. In 
this case, the plugin will fail the build only if you have set any fail-on conditions. 
Otherwise, it will not fail the build. You will not see any report links since the plugin could 
not get vulnerability data, and could not prepare a report. 
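The polling behaviour described in the HTTP code table and in this timeout section can be modelled as a small state machine. This is an added example, not the plugin's own code: the 'vulnerabilities' JSON field used to tell partial from complete data, and retrying on 500 until the timeout, are assumptions.

```python
"""Model of the connector's polling loop, built from the HTTP-code table and
the timeout section of this guide. Added example, not the plugin's own code:
the 'vulnerabilities' JSON field that distinguishes partial from complete
data, and retrying on 500, are assumptions."""
import json

CHECK_INTERVAL_S = 30   # "How frequently to check for data in seconds"
TIMEOUT_S = 600         # "How long to wait for fetching vulnerability data in seconds"


def classify(status, body):
    """Map one 'Get scan result' response to the next action."""
    if status == 204:                 # sensor is still processing data
        return "wait"
    if status == 200:
        data = json.loads(body) if body else {}
        # Assumed field: a 200 may carry only image details (partial data).
        return "done" if data.get("vulnerabilities") is not None else "wait"
    if status == 404:                 # CMS-2002: image not yet known to Qualys
        return "wait"
    if status == 401:                 # wrong credentials or no API access
        return "auth_error"
    if status == 400:                 # malformed request
        return "bad_request"
    return "wait"                     # 500: service issue, retry until timeout


def poll(responses, interval=CHECK_INTERVAL_S, timeout=TIMEOUT_S):
    """Replay scripted (status, body) responses, one per interval, until the
    data is complete, a hard error occurs or the timeout is reached. Returns
    (outcome, elapsed_seconds). An exhausted script is treated as 204."""
    calls = iter(responses)
    elapsed = 0
    while elapsed < timeout:
        action = classify(*next(calls, (204, "")))
        if action == "done":
            return "report", elapsed
        if action in ("auth_error", "bad_request"):
            return action, elapsed
        elapsed += interval           # the real plugin sleeps here
    return "timeout", elapsed


def build_verdict(outcome, fail_conditions_configured):
    """A timeout fails the build only when fail-on conditions are set; with a
    report, the configured failure conditions decide the result."""
    if outcome == "report":
        return "EVALUATE_FAIL_CONDITIONS"
    if outcome == "timeout":
        return "FAILED" if fail_conditions_configured else "PASSED_NO_REPORT"
    return "FAILED"


# Constructed sample mirroring the console entries quoted in this guide:
# unknown image, then known image with data pending, then complete data.
SAMPLE = [
    (404, '{"errorCode":"CMS-2002","message":"Data not available for given Image Id."}'),
    (200, '{"imageId":"cef4ca723229"}'),
    (204, ""),
    (200, '{"imageId":"cef4ca723229","vulnerabilities":[]}'),
]

if __name__ == "__main__":
    outcome, secs = poll(SAMPLE)
    print(outcome, secs, build_verdict(outcome, True))   # report 90 EVALUATE_FAIL_CONDITIONS
```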


How to fix this? 


On the Qualys Cloud Platform, go to Container Security > Assets > Images and verify that the 
image for which you are checking the vulnerabilities is present in the Images list. 


If the image is not present, the console logs have the following entry: 


Get scan result API for image e0111ddfea06 returned code : 404; 
HTTP Code: 404. Image: Not known to Qualys. Vulnerabilities: To be 
processed. API Response : {"errorCode":"CMS-2002","message":"Data not 
available for given Image Id.","timestamp":1554568122039} 
Ensure that the Qualys Container Sensor is installed on the host where the image is being 
built. 


If the image is present, console logs have the following entry: 


Get scan result API for image cef4ca723229 returned code : 200; 
Waiting for vulnerabilities data from Qualys for image id cef4ca723229 
HTTP Code: 200. Image: known to Qualys. Vulnerabilities: To be processed. 


Wait for the vulnerabilities data to be uploaded to the Qualys Cloud Platform. 


Want to contact Support? 
Access online support information at www.qualys.com/support/ 


You'll typically need to provide the following information for Qualys Container Scanning 
Connector issues: 


- Version of the Qualys Container Scanning Connector 


- Azure DevOps services-agent topology: whether the Docker daemon is on the Azure 
DevOps agent or on a remote host 


- Pipeline build console logs 




What's New 


Issue Fixed in 1.0.1 

We fixed an issue to allow Qualys Container Security Connector for Azure DevOps to 
accept special characters in passwords as per the Qualys password policy. 

Improvements in 1.1.0 


- We will now add the “lastScanned” filter in the call to CS API to ensure that plugin 
fetches the latest scan result for the specified image ID. 


- With this release, the plugin uses API v1.3. With the new version of the API, the plugin 
internally uses the SHA value of the image to call the CS API when you pass an image ID 
or image name in the input parameter. 


- The plugin will now check before tagging the image if the sensor container is running on 
the host and if it is installed in the CI/CD mode. 